Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-08-08 11:01:15 | thehackernews | MALWARE | Malicious Packages in RubyGems and PyPI Target Credentials and Crypto | A new wave of 60 malicious packages has been identified in the RubyGems ecosystem, masquerading as automation tools for social media and messaging services to steal user credentials. These malicious gems, active since March 2023, have been downloaded over 275,000 times, though not all downloads lead to execution or compromise. Threat actors using aliases like zon and nowon have embedded credential-stealing capabilities within these gems, targeting platforms like Instagram, Twitter, and Telegram. Some packages focus on financial forums, manipulating public perception by flooding discussions with investment narratives and synthetic engagement. The campaign primarily targets South Korean users, using Korean-language interfaces and exfiltrating data to .kr domains, indicating a sophisticated and persistent operation. Concurrently, GitLab reported typosquatting packages on PyPI designed to steal cryptocurrency from Bittensor wallets by exploiting staking functionalities. In response, PyPI has implemented new restrictions to prevent ZIP confusion attacks, aiming to reject compromised packages and enhance security for Python package installers. |
| 2025-08-08 11:01:15 | thehackernews | DATA BREACH | Surge in Leaked Credentials Poses Growing Threat to Organizations | Cyberint's report reveals a 160% increase in leaked credentials in 2025, highlighting a significant rise in unauthorized access incidents. Leaked credentials accounted for 22% of breaches in 2024, surpassing phishing and software exploitation as primary breach vectors. Automation and AI-driven tools have facilitated the theft and misuse of credentials, making it accessible even to low-skilled attackers. Cyberint's integration with SIEM and SOAR platforms allows for rapid response, including credential revocation and password resets. Nearly half of the devices involved in credential leaks lack endpoint monitoring, exposing blind spots in corporate security measures. Proactive detection of leaked credentials is crucial, as it reduces dwell time and minimizes potential damage from unauthorized access. Organizations are encouraged to monitor the open, deep, and dark web for exposed credentials to prevent further exploitation. |
| 2025-08-08 11:01:14 | bleepingcomputer | VULNERABILITIES | Microsoft 365 to Block Insecure FPRPC Protocol by Default | Microsoft plans to enhance security by blocking the outdated FPRPC protocol in Microsoft 365 apps for Windows starting August 2025, reducing exposure to legacy vulnerabilities. The update will affect file access protocols, with FPRPC being blocked by default in version 2508, while FTP and HTTP remain enabled unless manually disabled. New Trust Center settings will allow users to manage protocol settings, although Group Policy or Cloud Policy service can enforce stricter controls. This move follows Microsoft's broader strategy to update security defaults, including disabling legacy authentication protocols to prevent brute-force and phishing attacks. Administrators can manage these changes through the Cloud Policy service, ensuring compliance with organizational security policies. The initiative is part of Microsoft's ongoing efforts to phase out outdated technologies and enhance protection across its software ecosystem. Businesses using Microsoft 365 should prepare for these changes to avoid disruptions and ensure continued secure access to files. |
| 2025-08-08 10:52:13 | theregister | MISCELLANEOUS | UK Government Faces Backlash Over Secret Facial Recognition Database Access | Privacy groups have criticized the UK government for secretly allowing police access to passport and immigration databases for facial recognition, raising significant privacy and transparency concerns. The Home Office's lack of transparency has been labeled "astonishing" and "dangerous," with calls for a ban on the practice from organizations like Big Brother Watch and Privacy International. The databases in question contain approximately 58 million passport photos and 92 million images from immigration and visa sources, far exceeding the 20 million photos in the Police National Database. Police searches using these databases have dramatically increased, with passport database queries rising from two in 2020 to 417 by 2023, raising concerns about potential misuse. Critics argue that the use of facial recognition technology risks misidentification and injustice, especially when deployed without public knowledge or parliamentary oversight. Despite government claims of improved accuracy and reduced biases, privacy advocates highlight the minimal impact on crime prevention, citing only 0.15% of total arrests in London since 2020. The installation of the UK's first permanent live facial recognition camera in South London contradicts previous assurances of time-bound and targeted use, further fueling public distrust. |
| 2025-08-08 09:55:41 | theregister | MISCELLANEOUS | UK Sees Significant Rise in Proxy Use Amid Online Safety Act | The UK has experienced an 88% increase in proxy server traffic as users explore alternatives to VPNs following the Online Safety Act's implementation. The Online Safety Act mandates age verification for accessing certain online content, prompting users to seek methods to bypass these restrictions. Proxy servers, unlike VPNs, offer selective routing and load balancing but lack end-to-end encryption, presenting both advantages and potential security concerns. Decodo reports a 65% rise in UK proxy users, indicating a shift in user preferences amidst regulatory changes. Businesses are considering proxies for enhanced control and reduced attack surfaces, as they integrate better with existing security policies. The SOCKS5 protocol in proxies offers operational security by masking traffic paths without altering packet headers, minimizing leak risks. Despite the increased proxy use, VPNs remain legal in the UK, but the trend reflects growing uncertainty about their future role. Decodo positions itself as a key player in the proxy market, advocating for their services as viable alternatives to traditional VPNs. |
| 2025-08-08 08:50:48 | bleepingcomputer | DATA BREACH | Columbia University Data Breach Exposes 870,000 Individuals' Sensitive Information | Columbia University experienced a significant data breach in May 2025, impacting nearly 870,000 individuals, including current and former students, employees, and applicants. The breach involved unauthorized access to the university's network, resulting in the theft of personal, financial, and health information. The compromised data includes names, dates of birth, Social Security numbers, contact details, academic history, and insurance-related information. Columbia University reported the breach to law enforcement after discovering it during a system outage in June and engaged external cybersecurity experts for investigation. The university has confirmed that no patient records from Columbia University Irving Medical Center were affected by the breach. To mitigate potential risks, Columbia is offering two years of free credit monitoring and identity theft restoration services to affected individuals through Kroll. While there is no current evidence of misuse, the breach underscores the need for robust data protection measures in educational institutions. |
| 2025-08-08 07:38:07 | bleepingcomputer | CYBERCRIME | Royal and BlackSuit Ransomware Groups Breach 450 US Companies | The U.S. Department of Homeland Security reported that Royal and BlackSuit ransomware groups compromised over 450 U.S. companies before their takedown. These cybercriminals targeted sectors including healthcare, education, public safety, energy, and government, extracting over $370 million in ransom payments. The ransomware operations employed double-extortion tactics, encrypting systems and threatening to leak stolen data to pressure victims into paying. Operation Checkmate, a collaborative international law enforcement effort, led to the seizure of BlackSuit’s dark web extortion domains. Initially linked to the Conti syndicate, the group evolved from using others' encryptors to developing their own, rebranding as Royal and later BlackSuit. Cisco Talos researchers suggest the group may now be rebranding as Chaos ransomware, continuing double extortion attacks with advanced social engineering techniques. The new Chaos ransomware operation reportedly uses voice-based social engineering and targets both local and remote storage for maximum impact. |
| 2025-08-08 07:21:37 | thehackernews | CYBERCRIME | GreedyBear Campaign Exploits Malicious Extensions to Steal Cryptocurrency | GreedyBear has stolen over $1 million in cryptocurrency using more than 150 malicious Firefox extensions, targeting popular wallets like MetaMask and TronLink. The campaign employs "Extension Hollowing," a technique to bypass Mozilla's security checks by initially uploading benign extensions and later modifying them with malicious code. The fake extensions capture wallet credentials and IP addresses, sending data to a command-and-control server linked to a single IP address. GreedyBear's operation includes scam sites posing as cryptocurrency services and distributing malware through Russian sites offering pirated software. Evidence suggests the campaign is expanding to other browser marketplaces, with a similar attack detected on a Google Chrome extension. AI-powered tools are suspected in the creation of these malicious extensions, showcasing the increasing misuse of AI in cybercrime. The campaign's scale and scope have evolved, indicating a sophisticated and adaptable malware distribution network targeting cryptocurrency assets. |
| 2025-08-08 06:53:23 | theregister | MISCELLANEOUS | UK's Online Safety Act Faces Challenges and Privacy Concerns | The UK's Online Safety Act aims to enhance online safety, particularly for children, by enforcing age verification and content restrictions on platforms like Spotify and Discord. Companies face potential penalties of up to 10% of global revenue or service blocks if they fail to comply, prompting widespread adoption of age-restriction measures. The Wikimedia Foundation expresses concerns over potential data breaches and privacy risks, fearing exposure of editor identities under the Act's stringent requirements. Critics, including the Electronic Frontier Foundation, argue that mandatory age verification tools threaten privacy and free speech, potentially causing more harm than protection. The Act has driven a surge in VPN usage, with ProtonVPN reporting a 1,400% increase in UK sign-ups, as users seek to bypass age verification requirements. The Age Verification Providers Association claims to conduct 5 million age checks daily, assuring data safety, though privacy concerns persist over data storage practices. Comparisons to historical prohibition efforts suggest that restrictive measures may lead to circumvention rather than compliance, questioning the Act's long-term effectiveness. |
| 2025-08-07 23:27:41 | theregister | VULNERABILITIES | Researchers Reveal Critical Satellite Software Vulnerabilities at Black Hat | German researchers from VisionSpace Technologies demonstrated vulnerabilities in satellite and ground station software at the Black Hat conference, highlighting potential risks to space infrastructure. The presentation showcased how software flaws in applications like Yamcs and OpenC3 Cosmos could allow unauthorized control over satellite operations. Critical vulnerabilities were identified, including remote code execution and denial-of-service attacks, which could disrupt satellite functionality and control. The researchers found multiple CVEs in NASA's open-source software, affecting both satellite communication and encryption libraries. The vulnerabilities, while alarming, have been responsibly disclosed and addressed, mitigating immediate threats to satellite systems. The findings stress the need for robust security measures in satellite software to prevent potential exploitation and ensure the integrity of space assets. The rapid increase in satellite numbers, driven by commercial and military interests, underscores the urgency for enhanced cybersecurity protocols in space operations. |
| 2025-08-07 21:46:19 | bleepingcomputer | MALWARE | Malicious NPM Packages Target WhatsApp Developers with Data-Wiping Code | Researchers at Socket identified two NPM packages, naya-flore and nvlore-hsc, masquerading as WhatsApp development tools, which deploy destructive data-wiping code on developers' systems. These packages were downloaded over 1,100 times, posing a significant risk to developers using them for WhatsApp Business API integrations. The malicious code executes a 'rm -rf *' command, recursively deleting files on affected systems, while excluding certain Indonesian phone numbers from this action. Although Socket filed takedown requests, the packages remain available, and the publisher has submitted additional non-malicious packages that could potentially be weaponized. A dormant data exfiltration function exists within the packages, capable of extracting sensitive information, though it is currently disabled. In related findings, 11 malicious Go packages were discovered, using obfuscation techniques to execute remote payloads, affecting Linux CI servers and Windows workstations. Developers are advised to exercise extreme caution and thoroughly vet third-party libraries to mitigate risks of inadvertent code execution or data loss. |
| 2025-08-07 20:29:21 | theregister | VULNERABILITIES | Critical Flaw Found in Microsoft's Windows Hello Biometric System | German researchers identified a critical vulnerability in Microsoft's Windows Hello system, allowing unauthorized biometric data injection, potentially compromising business security. The flaw enables local administrators or compromised accounts to insert facial or fingerprint scans, bypassing standard authentication protocols. The vulnerability affects business users relying on Hello for authentication with platforms like Entra ID and Active Directory. Microsoft's Enhanced Sign-in Security (ESS) can block the attack but is not universally supported across all devices. Researchers demonstrated the exploit at Black Hat, showcasing the ease of bypassing Hello's protections with minimal code. A comprehensive fix requires significant code changes or leveraging TPM modules, but feasibility remains uncertain. Users are advised to disable biometrics in favor of PINs if using Hello without ESS, pending further updates from Microsoft. The research, backed by Germany's Federal Office for IT Security, is ongoing, with more findings anticipated next spring. |
| 2025-08-07 20:20:25 | bleepingcomputer | VULNERABILITIES | CISA Mandates Urgent Patch for Critical Microsoft Exchange Flaw | CISA has issued an emergency directive for Federal Civilian Executive Branch agencies to address a critical Microsoft Exchange vulnerability, CVE-2025-53786, by Monday morning. The flaw allows attackers with administrative access to on-premises Exchange servers to infiltrate Microsoft cloud environments, risking complete domain compromise. Impacted systems include Microsoft Exchange Server 2016, 2019, and Subscription Edition, with potential lateral movement into cloud environments. Microsoft has provided a hotfix and guidance for mitigation, but manual actions are necessary to fully secure systems. Security researcher Dirk-Jan Mollema demonstrated the vulnerability at Black Hat, coordinating disclosure with Microsoft and CISA. Agencies must update systems, apply the hotfix, and switch to a dedicated service principal to prevent exploitation. While the directive targets federal agencies, CISA strongly advises all organizations using Microsoft Exchange to implement the recommended mitigations. Failure to address this vulnerability could lead to severe security breaches, affecting both government and private sector entities. |
| 2025-08-07 18:34:10 | thehackernews | MALWARE | SocGholish Malware Utilizes Ad Tools to Facilitate Cybercrime Networks | SocGholish malware, a JavaScript loader, is distributed via compromised websites, posing as browser or software updates to deceive users into downloading malicious payloads. The malware operates under a Malware-as-a-Service model, selling access to infected systems to cybercriminal groups, including Evil Corp, LockBit, Dridex, and Raspberry Robin. Traffic Distribution Systems like Parrot TDS and Keitaro TDS are employed to redirect web traffic to malicious sites, filtering users based on predefined criteria to maximize infection rates. Keitaro TDS, while having legitimate uses, complicates blocking efforts due to its dual-use nature, leading to potential false positives in network defenses. Recent campaigns show Raspberry Robin being used as a distribution vector for SocGholish, indicating collaboration among threat actors to enhance malware spread. Technical advancements in Raspberry Robin include improved obfuscation, changes in network communication, and a new local privilege escalation exploit, CVE-2024-38196. The ongoing evolution of malware like DarkCloud Stealer, which uses advanced obfuscation and process hollowing, reflects a broader trend in cyber threats adapting to evade detection. Organizations are advised to update security policies and employ robust detection mechanisms to mitigate risks associated with these evolving threats. |
| 2025-08-07 18:05:22 | bleepingcomputer | CYBERCRIME | New EDR Bypass Tool Utilized by Multiple Ransomware Groups | A sophisticated EDR killer tool, an evolution of 'EDRKillShifter,' has been deployed by eight ransomware groups, including RansomHub and Medusa, to disable security systems. The tool employs a heavily obfuscated binary, self-decoding at runtime, injected into legitimate applications to evade detection and escalate privileges. It targets security vendors like Sophos, Microsoft Defender, and Kaspersky by using a 'bring your own vulnerable driver' attack to gain kernel privileges. The tool masquerades as legitimate files, such as the CrowdStrike Falcon Sensor Driver, to disable AV/EDR processes and stop security services. Variants of this tool, differing in driver names and build characteristics, suggest a collaborative framework among threat groups, rather than a single leaked binary. Sophos notes the tool's development involves shared knowledge and resources among competing ransomware operators, a common practice in the cybercrime landscape. Complete indicators of compromise for this EDR killer tool are publicly available, aiding in defensive measures against these sophisticated attacks. |